Also known as Kernel Patch Protection, PatchGuard was designed to prevent running rootkits or other malicious code at kernel level on 64-bit versions of Windows. Dubbed GhostHook, the newly discovered attack method can completely bypass the protection, as long as the attacker has already managed to get a foothold on the vulnerable system.

“The GhostHook technique we discovered can provide malicious actors or information security products with the ability to hook almost any piece of code running on the machine,” CyberArk’s Kasif Dekel explains.

The attack is neither an elevation-of-privilege nor an exploitation technique; it is intended solely for post-exploitation scenarios, when the attacker already controls the asset, the researcher says. What it does offer is stealthy persistence for rootkits on compromised systems.

Weaknesses in Microsoft’s implementation of Intel Processor Trace (Intel PT), specifically at the level where Intel PT communicates to Windows, make the attack possible, Dekel says.

Intel PT “provides low overhead hardware that executes tracing on each hardware thread using dedicated hardware” and can be used for various legitimate purposes, including performance monitoring, diagnostic code coverage, debugging, fuzzing, and more. However, it can also be abused for PatchGuard bypass.

The attacker allocates “an extremely small buffer for the CPU’s PT packets.” That buffer fills almost immediately, and the CPU then jumps to a PMI (performance monitoring interrupt) handler, which is code controlled by the attacker and designed to perform the “hook”. This ultimately gives the attacker control over how the operating system behaves.

The technique is very difficult to detect because it uses hardware to take over a thread’s execution and because kernel code/critical kernel structures aren’t being patched, Dekel says.

In Microsoft’s view, however, the issue isn’t critical and no security update will be released for it. The researcher nevertheless underlines “that PatchGuard is a kernel component that should not be bypassed,” since its purpose is precisely to block rootkits from techniques such as SSDT hooking, not to prevent code execution in kernel mode.

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update; however, it may be addressed in a future version of Windows. As such I’ve closed this case,” a Microsoft engineer reportedly told the researcher.